GitLab: Persistent XSS on public wiki pages

ID H1:136333
Type hackerone
Reporter jobert
Modified 2016-07-27T21:44:23



There's a persistent cross-site scripting (XSS) vulnerability in the wiki pages. This can lead to an account takeover via the leaked API token.

Proof of concept

As an attacker, create a new public repository. Make sure you have a client that is allowed to push to that repository. For this PoC, let's say the repository is located at On the client, execute the following commands:

git clone
cd test
echo "<script>alert('Hello world!');</script>" > index.html
git add index.html
git commit -m "This message is super important"
git push

Now go to As you will see, this executes the JavaScript that is stored in the file.



GitLab doesn't have a Content Security Policy (CSP), which means that clients allow inline JavaScript to be executed. This gives access to the current user's API token. The API token can be used to access the user's projects, perform actions as the user, gain access to potentially confidential information, etc.
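The root cause described above is repository-controlled HTML being served on the application's origin as a document, with no CSP to stop the inline script. As an added example (not GitLab's code), this Go handler shows how a raw-file endpoint would serve the same index.html inertly: declared as plain text, with type sniffing disabled and a CSP that forbids script and sandboxes the document. The in-memory repository and the /raw/ route are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// repoFiles stands in for files pushed to the wiki repository (constructed; the payload is the report's).
var repoFiles = map[string]string{
	"index.html": "<script>alert('Hello world!');</script>",
}

// rawHandler serves a repository file without letting the browser treat it as an active HTML document.
func rawHandler(w http.ResponseWriter, r *http.Request) {
	name := path.Base(r.URL.Path) // only the file name, no directories
	body, ok := repoFiles[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	h := w.Header()
	// Never text/html for repository content; declare it as plain text.
	h.Set("Content-Type", "text/plain; charset=utf-8")
	// Stop the browser from sniffing text/plain back into HTML.
	h.Set("X-Content-Type-Options", "nosniff")
	// Defence in depth: no script may run, and 'sandbox' gives the document
	// an opaque origin so it cannot read the user's session or API token.
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
	fmt.Fprint(w, body)
}

// serveRaw runs one request through rawHandler and returns the recorded response.
func serveRaw(file string) *http.Response {
	rec := httptest.NewRecorder()
	rawHandler(rec, httptest.NewRequest(http.MethodGet, "/raw/"+file, nil))
	return rec.Result()
}

// isInert reports whether the response denies what the attack relied on: an HTML type, sniffing, no CSP.
func isInert(resp *http.Response) bool {
	ct := resp.Header.Get("Content-Type")
	return !strings.HasPrefix(ct, "text/html") &&
		resp.Header.Get("X-Content-Type-Options") == "nosniff" &&
		strings.Contains(resp.Header.Get("Content-Security-Policy"), "default-src 'none'")
}
```

With these headers the pushed index.html is downloaded or displayed as text; the alert never runs and the API token is never exposed to it.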